Downloading SSL server certificates to iOS/Android app

Question

We have developed an app for both iOS and Android that communicates with a server via REST calls. In order for a user to be able to login for the first time to the app, they have to first download the server's SSL certificate (via https connection on browser or using openssl, download in DER format) and manually load the certificate into a folder on the device (by connecting the device to a computer and accessing its storage). The app, at login, will check that folder and if the correct certificate is in there the user will be able to login... Any subsequent logins, the users will not have to load the certificate again.

Now I was wondering if there is a way to automate the manual process I outlined above? It's a pretty tedious process, especially for a mobile app.

For example, connect to the server and download the certificate straight to the device... but does this kind of method have security risks?

Thanks

Answer 1

try this

HostnameVerifier hostnameVerifier = org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
            DefaultHttpClient client = new DefaultHttpClient();
            SchemeRegistry registry = new SchemeRegistry();
            SSLSocketFactory socketFactory = SSLSocketFactory
                    .getSocketFactory();
            socketFactory
                    .setHostnameVerifier((X509HostnameVerifier) hostnameVerifier);
            registry.register(new Scheme("https", socketFactory, 443));
            SingleClientConnManager mgr = new SingleClientConnManager(
                    client.getParams(), registry);
            // defaultHttpClient
            DefaultHttpClient httpClient = new DefaultHttpClient(mgr,
                    client.getParams());
            HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);